[scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]

Hey folks,
Here's the latest report and I think some of these are new tests rather than new code.
----- Forwarded message from scan-admin@coverity.com -----
Date: Mon, 31 Jan 2022 23:09:01 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
9 new defect(s) introduced to Das U-Boot found with Coverity Scan. 5 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 9 of 9 defect(s)
** CID 345920: API usage errors (CHAR_IO)
/tools/bmp_logo.c: 165 in main()
________________________________________________________________________________________________________
*** CID 345920: API usage errors (CHAR_IO)
/tools/bmp_logo.c: 165 in main()
159             "#define __BMP_LOGO_DATA_H__\n\n");
160
161         /* read and print the palette information */
162         printf("unsigned short bmp_logo_palette[] = {\n");
163
164         for (i=0; i<n_colors; ++i) {
CID 345920: API usage errors (CHAR_IO)
Assigning the return value of "fgetc" to char "b->palette[(int)(i * 3 + 2)]" truncates its value.
165             b->palette[(int)(i*3+2)] = fgetc(fp);
166             b->palette[(int)(i*3+1)] = fgetc(fp);
167             b->palette[(int)(i*3+0)] = fgetc(fp);
168             x=fgetc(fp);
169
170             printf ("%s0x0%X%X%X,%s",
** CID 345919: Resource leaks (RESOURCE_LEAK)
/tools/image-host.c: 969 in fit_config_get_regions()
________________________________________________________________________________________________________
*** CID 345919: Resource leaks (RESOURCE_LEAK)
/tools/image-host.c: 969 in fit_config_get_regions()
963             len += strlen(node_inc.strings[i]) + 1;
964         }
965         region_prop = malloc(len);
966         if (!region_prop) {
967             printf("Out of memory setting up regions for configuration '%s/%s'\n",
968                    conf_name, sig_name);
CID 345919: Resource leaks (RESOURCE_LEAK)
Variable "region" going out of scope leaks the storage it points to.
969             return -ENOMEM;
970         }
971         for (i = len = 0; i < node_inc.count;
972              len += strlen(node_inc.strings[i]) + 1, i++)
973             strcpy(region_prop + len, node_inc.strings[i]);
974         strlist_free(&node_inc);
** CID 345918: Error handling issues (CHECKED_RETURN)
/tools/bmp_logo.c: 41 in skip_bytes()
________________________________________________________________________________________________________
*** CID 345918: Error handling issues (CHECKED_RETURN)
/tools/bmp_logo.c: 41 in skip_bytes()
35          return val;
36      }
37
38      void skip_bytes (FILE *fp, int n)
39      {
40          while (n-- > 0)
CID 345918: Error handling issues (CHECKED_RETURN)
Calling "fgetc(fp)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
41              fgetc (fp);
42      }
43
44      __attribute__ ((__noreturn__))
45      int error (char * msg, FILE *fp)
46      {
** CID 345917: Resource leaks (RESOURCE_LEAK)
/tools/mkeficapsule.c: 121 in read_bin_file()
________________________________________________________________________________________________________
*** CID 345917: Resource leaks (RESOURCE_LEAK)
/tools/mkeficapsule.c: 121 in read_bin_file()
115
116         *data = buf;
117         *bin_size = bin_stat.st_size;
118     err:
119         fclose(g);
120
CID 345917: Resource leaks (RESOURCE_LEAK)
Variable "buf" going out of scope leaks the storage it points to.
121         return ret;
122     }
123
124     /**
125      * write_capsule_file - write a capsule file
126      * @bin: FILE stream
** CID 345916: Code maintainability issues (UNUSED_VALUE)
/tools/bmp_logo.c: 168 in main()
________________________________________________________________________________________________________
*** CID 345916: Code maintainability issues (UNUSED_VALUE)
/tools/bmp_logo.c: 168 in main()
162         printf("unsigned short bmp_logo_palette[] = {\n");
163
164         for (i=0; i<n_colors; ++i) {
165             b->palette[(int)(i*3+2)] = fgetc(fp);
166             b->palette[(int)(i*3+1)] = fgetc(fp);
167             b->palette[(int)(i*3+0)] = fgetc(fp);
CID 345916: Code maintainability issues (UNUSED_VALUE)
Assigning value from "fgetc(fp)" to "x" here, but that stored value is overwritten before it can be used.
168             x=fgetc(fp);
169
170             printf ("%s0x0%X%X%X,%s",
171                 ((i%8) == 0) ? "\t" : " ",
172                 (b->palette[(int)(i*3+0)] >> 4) & 0x0F,
173                 (b->palette[(int)(i*3+1)] >> 4) & 0x0F,
** CID 345915: Control flow issues (NO_EFFECT)
/lib/image-sparse.c: 214 in write_sparse_image()
________________________________________________________________________________________________________
*** CID 345915: Control flow issues (NO_EFFECT)
/lib/image-sparse.c: 214 in write_sparse_image()
208                         response);
209                     return -1;
210                 }
211
212                 blks = write_sparse_chunk_raw(info, blk, blkcnt,
213                                               data, response);
CID 345915: Control flow issues (NO_EFFECT)
This less-than-zero comparison of an unsigned value is never true. "blks < 0UL".
214                 if (blks < 0)
215                     return -1;
216
217                 blk += blks;
218                 bytes_written += ((u64)blkcnt) * info->blksz;
219                 total_blocks += chunk_header->chunk_sz;
** CID 345914: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/tools/mkeficapsule.c: 96 in read_bin_file()
________________________________________________________________________________________________________
*** CID 345914: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/tools/mkeficapsule.c: 96 in read_bin_file()
90          }
91          if (stat(bin, &bin_stat) < 0) {
92              fprintf(stderr, "cannot determine the size of %s\n", bin);
93              ret = -1;
94              goto err;
95          }
CID 345914: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
"bin_stat.st_size > 18446744073709551615UL" is always false regardless of the values of its operands. This occurs as the logical operand of "if".
96          if (bin_stat.st_size > SIZE_MAX) {
97              fprintf(stderr, "file size is too large for malloc: %s\n", bin);
98              ret = -1;
99              goto err;
100         }
101         buf = malloc(bin_stat.st_size);
** CID 345913: (TAINTED_SCALAR)
/drivers/core/ofnode.c: 477 in ofnode_read_string_list()
________________________________________________________________________________________________________
*** CID 345913: (TAINTED_SCALAR)
/drivers/core/ofnode.c: 473 in ofnode_read_string_list()
467         count = ofnode_read_string_count(node, property);
468         if (count < 0)
469             return count;
470         if (!count)
471             return 0;
472
CID 345913: (TAINTED_SCALAR)
Passing tainted expression "count + 1" to "dlcalloc", which uses it as an offset.
473         prop = calloc(count + 1, sizeof(char *));
474         if (!prop)
475             return -ENOMEM;
476
477         for (i = 0; i < count; i++)
478             ofnode_read_string_index(node, property, i, &prop[i]);
/drivers/core/ofnode.c: 477 in ofnode_read_string_list()
471             return 0;
472
473         prop = calloc(count + 1, sizeof(char *));
474         if (!prop)
475             return -ENOMEM;
476
CID 345913: (TAINTED_SCALAR)
Using tainted variable "count" as a loop boundary.
477         for (i = 0; i < count; i++)
478             ofnode_read_string_index(node, property, i, &prop[i]);
479         prop[count] = NULL;
480         *listp = prop;
481
482         return count;
** CID 345912: Null pointer dereferences (FORWARD_NULL)
/lib/efi_loader/efi_signature.c: 232 in efi_signature_lookup_digest()
________________________________________________________________________________________________________
*** CID 345912: Null pointer dereferences (FORWARD_NULL)
/lib/efi_loader/efi_signature.c: 232 in efi_signature_lookup_digest()
226                  sig_data = sig_data->next) {
227     #ifdef DEBUG
228                 EFI_PRINT("Msg digest in database:\n");
229                 print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1,
230                                sig_data->data, sig_data->size, false);
231     #endif
CID 345912: Null pointer dereferences (FORWARD_NULL)
Passing null pointer "hash" to "memcmp", which dereferences it. [Note: The source code implementation of the function has been overridden by a builtin model.]
232                 if (sig_data->size == size &&
233                     !memcmp(sig_data->data, hash, size)) {
234                     found = true;
235                     free(hash);
236                     goto out;
237                 }
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...
To manage Coverity Scan email notifications for "tom.rini@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...
----- End forwarded message -----
Participants (1): Tom Rini